Microsoft has the dubious honour of taking out eight spots in the top 15 list of routinely exploited vulnerabilities, as customers fail to patch their software and remain open to attacks, according to cyber security agencies in the main English speaking countries.
The company's Exchange Server was hit hard in 2021 as attackers hammered the communications and calendaring platform with three ProxyShell and four ProxyLogon vulnerabilities.
A remote code execution bug in Exchange Server and the ZeroLogon vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC), both disclosed in 2020, were also massively exploited last year.
Atlassian's Confluence Server and Data Centre and the Apache Log4j Log4Shell remote code execution bugs also made the list, along with vulnerabilities in VMware's vSphere Client, Pulse Secure Connect and Fortinet FortiOS and FortiProxy.
Because customers neither patch their installations of vulnerable software nor mitigate against exploitation, threat actors don't need to develop sophisticated tools and can simply use publicly known bugs, the United States National Security Agency's cyber security director Rob Joyce pointed out.
Australian Cyber Security Centre chief Abigail Bradshaw said malicious cyber actors continue to exploit known bugs and outdated software to attack private and public networks globally.
Lisa Fong, director of New Zealand's National Cyber Security Centre, warned that malicious actors are increasing the speed and scale at which they take advantage of newly disclosed vulnerabilities.
On top of vulnerability and configuration management, with software updated in a timely fashion, the NSA, FBI, ACSC, UK and NZ NCSC, and Canada's CCCS advised users to implement and enforce multi-factor authentication (MFA).
If MFA is not available, employees working remotely should be required to use strong passwords, and administrators should regularly review, validate or remove privileged accounts, the cyber security agencies said in their joint advisory.
Encrypting network traffic, disabling unused services and devices, securing internet-facing equipment and implementing positive controls and architecture also help mitigate against exploitation.
The cyber security agencies noted that over 20,000 common vulnerabilities were disclosed in 2021 alone.